feat(allowlist): add tags filter to allowlist (#2105)

Sergio Garcia
2023-03-21 11:14:59 +01:00
committed by GitHub
parent 5c2a411982
commit 51eacbfac5
6 changed files with 320 additions and 55 deletions


@@ -4,6 +4,9 @@ from moto import mock_dynamodb, mock_s3
from prowler.providers.aws.lib.allowlist.allowlist import (
is_allowlisted,
is_allowlisted_in_check,
is_allowlisted_in_region,
is_allowlisted_in_tags,
parse_allowlist_file,
)
from prowler.providers.aws.lib.audit_info.models import AWS_Audit_Info
@@ -13,7 +16,6 @@ AWS_REGION = "us-east-1"
class Test_Allowlist:
# Mocked Audit Info
def set_mocked_audit_info(self):
audit_info = AWS_Audit_Info(
@@ -56,7 +58,7 @@ class Test_Allowlist:
audit_info, "s3://test-allowlist/allowlist.yaml"
)
# Test S3 allowlist
# Test DynamoDB allowlist
@mock_dynamodb
def test_dynamo_allowlist(self):
audit_info = self.set_mocked_audit_info()
@@ -101,9 +103,53 @@ class Test_Allowlist:
)["Accounts"]["*"]["Checks"]["iam_user_hardware_mfa_enabled"]["Resources"]
)
@mock_dynamodb
def test_dynamo_allowlist_with_tags(self):
audit_info = self.set_mocked_audit_info()
# Create table and put item
dynamodb_resource = resource("dynamodb", region_name=AWS_REGION)
table_name = "test-allowlist"
params = {
"TableName": table_name,
"KeySchema": [
{"AttributeName": "Accounts", "KeyType": "HASH"},
{"AttributeName": "Checks", "KeyType": "RANGE"},
],
"AttributeDefinitions": [
{"AttributeName": "Accounts", "AttributeType": "S"},
{"AttributeName": "Checks", "AttributeType": "S"},
],
"ProvisionedThroughput": {
"ReadCapacityUnits": 10,
"WriteCapacityUnits": 10,
},
}
table = dynamodb_resource.create_table(**params)
table.put_item(
Item={
"Accounts": "*",
"Checks": "*",
"Regions": ["*"],
"Resources": ["*"],
"Tags": ["environment=dev"],
}
)
assert (
"environment=dev"
in parse_allowlist_file(
audit_info,
"arn:aws:dynamodb:"
+ AWS_REGION
+ ":"
+ str(AWS_ACCOUNT_NUMBER)
+ ":table/"
+ table_name,
)["Accounts"]["*"]["Checks"]["*"]["Tags"]
)
# Allowlist checks
def test_is_allowlisted(self):
# Allowlist example
allowlist = {
"Accounts": {
@@ -119,29 +165,33 @@ class Test_Allowlist:
}
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
)
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
)
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
)
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-pro-test"
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION,
"prowler-pro-test",
"",
)
assert not (
is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_wildcard(self):
# Allowlist example
allowlist = {
"Accounts": {
@@ -157,25 +207,24 @@ class Test_Allowlist:
}
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
)
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
)
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
)
assert not (
is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_asterisk(self):
# Allowlist example
allowlist = {
"Accounts": {
@@ -191,19 +240,161 @@ class Test_Allowlist:
}
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
)
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
)
assert is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
)
assert not (
is_allowlisted(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test"
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_in_region(self):
# Allowlist example
allowlist = {
"Accounts": {
AWS_ACCOUNT_NUMBER: {
"Checks": {
"check_test": {
"Regions": ["us-east-1", "eu-west-1"],
"Resources": ["*"],
}
}
}
}
}
assert is_allowlisted_in_region(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
)
assert is_allowlisted_in_region(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
)
assert is_allowlisted_in_region(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
)
assert not (
is_allowlisted_in_region(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_in_check(self):
# Allowlist example
allowlist = {
"Accounts": {
AWS_ACCOUNT_NUMBER: {
"Checks": {
"check_test": {
"Regions": ["us-east-1", "eu-west-1"],
"Resources": ["*"],
}
}
}
}
}
assert is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler", ""
)
assert is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test", ""
)
assert is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler", ""
)
assert not (
is_allowlisted_in_check(
allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test", ""
)
)
def test_is_allowlisted_tags(self):
# Allowlist example
allowlist = {
"Accounts": {
"*": {
"Checks": {
"check_test": {
"Regions": ["us-east-1", "eu-west-1"],
"Resources": ["*"],
"Tags": ["environment=dev", "project=prowler"],
}
}
}
}
}
assert not is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION,
"prowler",
"environment=dev",
)
assert is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
AWS_REGION,
"prowler-test",
"environment=dev project=prowler",
)
assert not (
is_allowlisted(
allowlist,
AWS_ACCOUNT_NUMBER,
"check_test",
"us-east-2",
"test",
"environment=pro",
)
)
def test_is_allowlisted_in_tags(self):
# Allowlist example
check_allowlist = {
"Regions": ["us-east-1", "eu-west-1"],
"Resources": ["*"],
"Tags": ["environment=dev", "project=prowler"],
}
assert not is_allowlisted_in_tags(
check_allowlist,
check_allowlist["Resources"][0],
"prowler",
"environment=dev",
)
assert is_allowlisted_in_tags(
check_allowlist,
check_allowlist["Resources"][0],
"prowler-test",
"environment=dev project=prowler",
)
assert not (
is_allowlisted_in_tags(
check_allowlist,
check_allowlist["Resources"][0],
"test",
"environment=pro",
)
)
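Review bot: The new cases in `test_is_allowlisted_tags` and `test_is_allowlisted_in_tags` never pass an empty tag string against an entry that carries `Tags`, and never pass a near-miss tag, so the two ways a tag-scoped suppression could fail open are left unpinned. Resource tags are passed as one space-joined string, so if the comparison is substring-based (the implementation is not visible in this section, so this is an assumption) `environment=development` would satisfy `environment=dev`. I would add `assert not is_allowlisted_in_tags(check_allowlist, check_allowlist["Resources"][0], "prowler", "")` and `assert not is_allowlisted_in_tags(check_allowlist, check_allowlist["Resources"][0], "prowler", "environment=development project=prowler")`. The last negative case in `test_is_allowlisted_tags` also switches the region to `"us-east-2"` and the resource to `"test"` along with the tag, so it passes on the region mismatch alone; keeping `AWS_REGION` there would make the assertion actually exercise the tag filter.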